
Palo Alto Networks login portal scanning surged nearly 500% in one day

Target Trend
H score 49
2 unique sources, 2 articles

Summary

A nearly 500% surge in scanning against Palo Alto Networks login portals on October 3, 2025 signaled a sharp jump in reconnaissance against enterprise access surfaces. The activity reached as many as 1,300 unique IP addresses, with most classified as suspicious and a smaller share as malicious. The scanners were described as targeted and structured, and the geographic spread was dominated by the U.S. with smaller clusters in the U.K., the Netherlands, Canada, and Russia. The pattern resembles recent Cisco ASA scanning and matters because similar surges can precede new CVE disclosures.

Related Happenings

Residential proxy traffic evades IP reputation feeds across malicious edge sessions

Target Trend
First: 02.04.2026 18:21 Last: 02.04.2026 18:21 Sources 1

About this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...

Operation Lightning takedown of SocksEscort proxy service

Law Enforcement
First: 13.03.2026 12:00 Last: 13.03.2026 12:00 Sources 1

About this happening: International law enforcement partners **dismantled** the **SocksEscort** proxy service in **Operation Lightning**, disrupting a cybercrime network used to hide originating IP add...

TGR-STA-1030/UNC6619 Shadow Campaigns espionage operation

Campaign
First: 07.02.2026 17:09 Last: 07.02.2026 17:09 Sources 1

About this happening: The **TGR-STA-1030/UNC6619** operation **Shadow Campaigns** expanded a state-sponsored espionage effort that compromised **at least 70 organizations** across **37 countries**, inc...

GreyNoise-observed LLM endpoint enumeration campaign

Campaign
First: 09.01.2026 21:56 Last: 09.01.2026 21:56 Sources 1

About this happening: **GreyNoise** observed a **December 28** campaign that generated **80,469 sessions** over **11 days** while probing **more than 73 exposed or misconfigured LLM endpoints**. The ac...

Cisco SSL VPN and GlobalProtect credential-probing campaign

Campaign
First: 18.12.2025 06:10 Last: 18.12.2025 06:10 Sources 1

About this happening: A **coordinated credential-based campaign** is now probing **Cisco SSL VPN** and **Palo Alto Networks GlobalProtect** portals at scale, raising the risk of unauthorized access att...

Timeline

  1. 04.10.2025 13:39 3 articles · 7mo ago

    Palo Alto Networks login portal scanning spike

    Detection IoC Update

    On October 3, 2025, scanning against Palo Alto Networks login portals surged to nearly 500% above the prior baseline, with as many as 1,300 unique IP addresses participating. The activity was described as targeted and structured, with 93% of the IPs classified as suspicious and 7% as malicious, and the largest concentration of addresses geolocated to the U.S. with smaller clusters in the U.K., the Netherlands, Canada, and Russia.

  2. 04.10.2025 13:39 1 article · 7mo ago

    GreyNoise discloses scanning surge and Cisco ASA overlap

    Initial Disclosure

    On October 4, 2025, GreyNoise disclosed the Palo Alto Networks login-portal scanning surge and said the traffic shared characteristics with Cisco ASA scanning seen in the previous 48 hours, including regional clustering and a dominant TLS fingerprint tied to infrastructure in the Netherlands. GreyNoise also reiterated its warning that surges in malicious scanning, brute-forcing, or exploit attempts can be followed by disclosure of a new CVE affecting the same technology within six weeks.
